spf-discuss

Re: [spf-discuss] Re: PermError: Too many DNS lookups at Microsoft.com

2006-05-07 07:54:39
On Sat, 6 May 2006 23:53:59 -0400 "Hector Santos" 
<spf-discuss(_at_)winserver(_dot_)com> wrote:

> ----- Original Message -----
> From: "Julian Mehnle" <julian(_at_)mehnle(_dot_)net>
>
>> Hector Santos wrote:
>>> Too bad I was out of the loop when this decision was made.
>>>
>>> That's a major difference in SPF implementations and now you see the
>>> effect for large SPF organization/networks wishing to support SPF.
>>
>> It was also a major security hole in the old SPF specification that
>> needed to be fixed.
>
> I don't disagree with the need for a fix. I disagree with the low ball SWAG
> of 10 limit for lookup mechanisms. It is too low IMO and I would venture a
> PERMERROR is premature for many older SPF large organizations' records. For
> all intents and purposes it places an artificial limit on the total domains
> (10) a large site may use.

No it doesn't.  It says that beyond a certain level of complexity the
outbound network needs to be described in terms of IP addresses or using
exists:.

I'd encourage you to go back and review the archives.  While 10 was arrived
at empirically based on list consensus, there is more to it than a swag.

There are ways to deal with this.  As an example, query the A records for
relay.pair.com.  That's one mechanism that covers several physical boxes.
Julian already mentioned exists:.  The limits can be worked within.  Now
that the RFC is out, both records and SPF libraries need to be updated to
conform to it.

> Again:
>
>    Classic SPF(Microsoft) = SoftFail
>    Current SPF(Microsoft) = PermError

Yes.  They need to update.

> It has nothing to do with an interoperability issue but a "human SWAG"
> artificial limit.  Again, this is not a recursive issue where there was a
> real security hole concern.

No, it was a DoS concern.  Please see the list archives.

> I would think, that if I was in the loop when this was being decided, I
> would have suggested that the end result should be the same.  In other words, if
> the complete exhausted result is a SOFTFAIL, then the cut off would be a
> SOFTFAIL as well.

This gets into how one deals with an error (not is there an error).  That's
a matter of receiver policy and a good topic for a BCP type document.

> Anyway, what's written is written.  I would love to see what Microsoft has
> to say or what they end up correcting it with.  Scott, have you contacted
> them yet?

No, but I will.

Scott K

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
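The thread above argues about the RFC 4408 processing limit (at most 10 DNS-querying mechanisms and modifiers per SPF check, PermError beyond that) and about the advice to fall back to ip4: literals or exists: when a record sprawls. The following is an added example, not code from the thread or from any SPF library: a small offline counter that walks a record through include: and redirect=, totals the terms that cost a lookup (include, a, mx, ptr, exists, redirect; ip4, ip6 and all are free), and stops with PermError once the count passes 10. The zone dictionary and every domain in it are constructed for the example; the per-mechanism limits on MX and PTR answers are not modelled.

```python
"""Count the DNS-querying terms of an SPF record against the RFC 4408
section 10.1 limit.  The ZONE below is constructed for this example and
describes no real organisation's records."""
from __future__ import annotations

LOOKUP_LIMIT = 10
# Terms that cost a DNS query under RFC 4408 10.1; ip4, ip6, all do not.
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}


class PermError(Exception):
    """Raised when the record cannot be evaluated (an RFC 4408 PermError)."""


def parse_terms(record: str) -> list[tuple[str, str]]:
    """Split a v=spf1 record into (name, argument) pairs, dropping the
    qualifier prefix (+ - ~ ?) and any CIDR prefix length (/24)."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise PermError("not an SPF record")
    terms = []
    for field in fields[1:]:
        if "=" in field:                          # modifier: redirect=, exp=
            name, _, arg = field.partition("=")
        else:                                     # mechanism, optional qualifier
            name, _, arg = field.lstrip("+-~?").partition(":")
            name = name.split("/")[0]             # a/24 -> a
            arg = arg.split("/")[0]               # mx:host/16 -> host
        terms.append((name.lower(), arg))
    return terms


def count_lookups(domain: str, zone: dict[str, str],
                  counter: list[int] | None = None) -> int:
    """Walk the record for `domain`, recursing through include: and
    redirect=, and return the running number of counted lookups.
    Raises PermError as soon as the total exceeds LOOKUP_LIMIT.

    Worst-case model: redirect= is always followed, and a/mx/ptr/exists
    are counted but never resolved."""
    counter = counter if counter is not None else [0]
    record = zone.get(domain.lower())
    if record is None:
        # RFC 4408: include: of a domain with no record is a PermError.
        raise PermError(f"no SPF record for {domain}")
    redirect = None
    for name, arg in parse_terms(record):
        if name not in COUNTED:
            continue
        counter[0] += 1
        if counter[0] > LOOKUP_LIMIT:
            raise PermError(f"too many DNS lookups (>{LOOKUP_LIMIT}) at {domain}")
        if name == "include":
            count_lookups(arg, zone, counter)
        elif name == "redirect":
            redirect = arg                        # evaluated after the mechanisms
    if redirect is not None:
        count_lookups(redirect, zone, counter)
    return counter[0]


def spf_status(domain: str, zone: dict[str, str]) -> tuple[str, int, str]:
    """('ok' | 'permerror', lookups counted before stopping, detail)."""
    counter = [0]
    try:
        count_lookups(domain, zone, counter)
    except PermError as exc:
        return ("permerror", counter[0], str(exc))
    return ("ok", counter[0], "")


# Constructed zone: a sprawling multi-region record next to the same
# network expressed with ip4: literals, as the reply above recommends.
ZONE = {
    "big.example": "v=spf1 mx include:eu.big.example include:us.big.example "
                   "include:apac.big.example include:partner.example -all",
    "eu.big.example": "v=spf1 a mx ptr -all",
    "us.big.example": "v=spf1 a mx a:relay.us.big.example -all",
    "apac.big.example": "v=spf1 a mx -all",
    "partner.example": "v=spf1 include:_spf.partner.example -all",
    "_spf.partner.example": "v=spf1 a mx -all",
    "lean.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                    "include:partner.example -all",
}

if __name__ == "__main__":
    for name in ("big.example", "lean.example"):
        print(name, spf_status(name, ZONE))
```

Run as a script it reports big.example as permerror (the eleventh counted term is reached inside apac.big.example) and lean.example as ok with four lookups; the same network described with ip4: literals stays well inside the limit because only the include chain is charged.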
